AI Hype: A New Frontier for Cybercrime

Cybercriminals are increasingly exploiting the burgeoning interest in Artificial Intelligence (AI) to disseminate ransomware and malware. They are leveraging fake AI tools and sophisticated deepfake networks to ensnare unsuspecting users, leading to data theft, system corruption, and financial extortion. This trend highlights a growing threat landscape where technological advancements are weaponised for malicious purposes.


AI Hype Fuels Cybercrime Surge

Cybercriminals are capitalising on the widespread enthusiasm for AI by creating deceptive AI-themed lures. These include fake AI tool websites and installers for non-existent or malicious AI applications. The primary goal is to trick users into downloading and executing malicious payloads, ranging from information stealers to ransomware.


  • SEO Poisoning and Malvertising: Threat actors are employing search engine optimisation (SEO) poisoning and malvertising techniques to ensure their malicious sites rank highly in search results for AI-related terms, increasing their visibility to potential victims.
  • Impersonation of Legitimate Tools: Malicious actors often impersonate legitimate AI tools or services, such as ChatGPT or InVideo AI, to appear credible and entice users to download their compromised versions.

Notorious Malware and Ransomware Campaigns

Several notable malware and ransomware strains are being distributed through these AI-centric schemes:


  • CyberLock Ransomware: Delivered via fake AI tool websites, CyberLock encrypts files and demands a substantial ransom, often in Monero cryptocurrency.
  • Lucky_Gh0$t Ransomware: A derivative of the Yashma ransomware, Lucky_Gh0$t is distributed as a fake ChatGPT installer. It encrypts files and instructs victims to contact attackers via secure messaging platforms.
  • Numero Malware: Masquerading as an InVideo AI installer, Numero corrupts the Windows graphical user interface, rendering systems unusable without destroying or encrypting data.
  • Lumma Stealer and AMOS: These information-stealing malware variants target Windows and macOS respectively, stealing credentials, cryptocurrency wallets, and browsing history from infected devices. They are often spread through fake AI image and video generator websites.

The Deepfake Network: Storm-2139

Microsoft has identified a sophisticated cybercrime gang, Storm-2139, which is actively involved in developing tools to bypass generative AI guardrails. This network is responsible for creating celebrity deepfakes and other illicit content.


  • Key Members Identified: Microsoft has named individuals such as Arian Yadegarnia (Iran), Alan Krysiak (UK), Ricky Yuen (Hong Kong), and Phát Phùng Tấn (Vietnam) as key members of Storm-2139.
  • Operational Structure: The Storm-2139 network is organised into creators (developing malicious tools), providers (distributing tools), and users (generating illicit content).
  • Legal Action and Disruption: Microsoft has initiated legal action, including a lawsuit in the Eastern District of Virginia, to disrupt the group's operations and seize key infrastructure. This has led to internal discord within the gang.

Protecting Against AI-Driven Threats

Users are advised to exercise extreme caution when downloading AI tools or applications. It is crucial to:


  • Verify Sources: Always download software from official websites and reputable sources, avoiding links from promoted search results or social media posts.
  • Enable Multi-Factor Authentication (MFA): Implement MFA on all sensitive accounts, including email, banking, and cryptocurrency exchanges.
  • Reset Compromised Credentials: If you suspect your system has been compromised, immediately reset all saved passwords and use a unique password for every site.

As AI technology continues to advance, so too will the methods employed by cybercriminals. Vigilance and adherence to cybersecurity best practices are paramount in mitigating these evolving threats.


